fix: walk full projection expressions for column refs

The projection check used a narrow `direct_col_ref` shortcut that only
matched bare Identifier and 2-segment CompoundIdentifier — anything
wrapped in a function call, CASE, CAST, or arithmetic was silently
unvalidated. `SELECT LENGTH(bogus) FROM users` and friends would
pass clean while WHERE flagged the same identifier.

Replace the projection loop with the same `validate_expr_column_refs`
walker that WHERE/HAVING/JOIN ON use. The walker already knows how to
descend into BinaryOp / Function args / Case / Cast / Like / Between /
IsNull family / etc., so this is a single-line dispatch change once
the helpers were unified.

Drop the now-unused `direct_col_ref` and merge
`resolve_unqualified_for_projection` into `resolve_unqualified` so
every clause emits the same "Column X not found in table Y" /
"not found in none of: …" message format. Existing tests already
match on column-name containment so no breakage.

Inlining clippy fix: collapse `SetExpr::Insert(inner) → if let
Statement::Insert{…} = inner` into a single nested match in
validate_set_expr.

10 new tests cover function calls (valid + invalid), nested function
calls, CASE branches and conditions, CAST, arithmetic BinaryOp,
qualified identifiers inside function args, and that COUNT(*) — a
SelectItem::QualifiedWildcard — doesn't false-positive.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: davidsmfreire

sqlshield/src/validation/clauses/select.rs

@@ -192,37 +192,16 @@ fn column_in_relation(
     None
 }
 
+/// Resolve an unqualified column reference against the visible relations.
+/// The error message names the specific table(s) the column was missing
+/// from when at least one visible relation is known to the schema; if no
+/// known relation contains this column, table-not-found errors emitted by
+/// the FROM walk already covered the situation, so we stay quiet.
 fn resolve_unqualified(
     col: &str,
     relations: &[VisibleRelation<'_>],
     schema: &schema::TablesAndColumns,
     extras: &HashMap<&str, HashSet<&str>>,
-) -> Option<String> {
-    let mut any_known = false;
-    for rel in relations {
-        match column_in_relation(col, rel, schema, extras) {
-            Some(true) => return None,
-            Some(false) => any_known = true,
-            None => {}
-        }
-    }
-    if !any_known {
-        // None of the visible relations are in the schema: table-not-found
-        // errors from the FROM check already covered this; don't pile on.
-        return None;
-    }
-    Some(format!("Column `{col}` not found in any visible table"))
-}
-
-/// Like [`resolve_unqualified`] but carries a richer error message that
-/// names the specific table(s) the column was searched in. Used by the
-/// projection check, which historically reported "not found in table X"
-/// rather than the more generic "not found in any visible table".
-fn resolve_unqualified_for_projection(
-    col: &str,
-    relations: &[VisibleRelation<'_>],
-    schema: &schema::TablesAndColumns,
-    extras: &HashMap<&str, HashSet<&str>>,
 ) -> Option<String> {
     let mut not_found_in: Vec<&str> = Vec::new();
     for rel in relations {
@@ -432,21 +411,17 @@ impl ClauseValidation for Select {
             }
         }
 
+        // Walk every projection expression with the same scope-aware visitor
+        // used by WHERE/HAVING/etc. — catches column refs inside function
+        // calls, CASE branches, CAST, arithmetic, and nested expressions
+        // that the old `direct_col_ref` shortcut silently skipped.
+        // Wildcard / QualifiedWildcard items have no column to validate.
         for item in &select.projection {
             let expr = match item {
                 SelectItem::UnnamedExpr(e) | SelectItem::ExprWithAlias { expr: e, .. } => e,
                 _ => continue,
             };
-            let (col_name, col_qualifier) = direct_col_ref(expr);
-            let Some(col_name) = col_name else { continue };
-
-            let err = match col_qualifier {
-                Some(qual) => resolve_qualified(qual, col_name, &visible, schema, extras),
-                None => resolve_unqualified_for_projection(col_name, &visible, schema, extras),
-            };
-            if let Some(err) = err {
-                errors.push(err);
-            }
+            validate_expr_column_refs(expr, &visible, schema, extras, &no_aliases, &mut errors);
         }
 
         // WHERE / HAVING / GROUP BY column references. `visible` and
@@ -475,18 +450,3 @@ impl ClauseValidation for Select {
         errors
     }
 }
-
-/// Pull a direct column reference out of an expression, ignoring wrappers
-/// we don't yet drill into (function calls, CASE, casts, etc.). Returns
-/// `(column, qualifier)` — the qualifier is the table-or-alias prefix in a
-/// 2-segment compound identifier.
-fn direct_col_ref(expr: &Expr) -> (Option<&str>, Option<&str>) {
-    match expr {
-        Expr::Identifier(identifier) => (Some(identifier.value.as_str()), None),
-        Expr::CompoundIdentifier(identifier) if identifier.len() == 2 => (
-            Some(identifier[1].value.as_str()),
-            Some(identifier[0].value.as_str()),
-        ),
-        _ => (None, None),
-    }
-}

sqlshield/src/validation/mod.rs

@@ -199,44 +199,38 @@ fn validate_set_expr<'a>(
         // body. Dispatch back to the DML validators so the inner statement
         // is checked and the surrounding CTEs (carried in `extras`) stay in
         // scope.
-        SetExpr::Insert(inner) => {
-            if let Statement::Insert {
-                table_name,
-                columns,
-                source,
-                ..
-            } = inner
-            {
-                errors.extend(clauses::insert::validate_insert(
-                    table_name, columns, schema,
+        SetExpr::Insert(Statement::Insert {
+            table_name,
+            columns,
+            source,
+            ..
+        }) => {
+            errors.extend(clauses::insert::validate_insert(
+                table_name, columns, schema,
+            ));
+            if let Some(source_query) = source {
+                errors.extend(validate_query_with_scope(
+                    source_query.as_ref(),
+                    schema,
+                    extras,
                 ));
-                if let Some(source_query) = source {
-                    errors.extend(validate_query_with_scope(
-                        source_query.as_ref(),
-                        schema,
-                        extras,
-                    ));
-                }
             }
         }
-        SetExpr::Update(inner) => {
-            if let Statement::Update {
+        SetExpr::Update(Statement::Update {
+            table,
+            assignments,
+            from,
+            selection,
+            ..
+        }) => {
+            errors.extend(clauses::update::validate_update(
                 table,
                 assignments,
-                from,
-                selection,
-                ..
-            } = inner
-            {
-                errors.extend(clauses::update::validate_update(
-                    table,
-                    assignments,
-                    from.as_ref(),
-                    selection.as_ref(),
-                    schema,
-                    extras,
-                ));
-            }
+                from.as_ref(),
+                selection.as_ref(),
+                schema,
+                extras,
+            ));
         }
         _ => {}
     }

sqlshield/tests/projection_expressions.rs

@@ -0,0 +1,77 @@
+//! Projection items beyond bare identifiers — function calls, CASE, CAST,
+//! arithmetic. The WHERE-side walker already covers these; previously the
+//! projection check used a `direct_col_ref` shortcut that only matched
+//! Identifier / 2-segment CompoundIdentifier and silently passed everything
+//! else.
+
+use sqlshield::validate_query;
+
+const SCHEMA: &str = "
+    CREATE TABLE users (id INT, name VARCHAR(255), age INT);
+";
+
+fn run(sql: &str) -> Vec<String> {
+    validate_query(sql, SCHEMA).expect("SQL/schema should parse")
+}
+
+#[test]
+fn function_call_on_valid_column() {
+    assert!(run("SELECT LENGTH(name) FROM users").is_empty());
+}
+
+#[test]
+fn function_call_on_unknown_column_is_reported() {
+    let errs = run("SELECT LENGTH(bogus) FROM users");
+    assert!(errs.iter().any(|e| e.contains("`bogus`")), "got: {errs:?}");
+}
+
+#[test]
+fn case_when_branch_unknown_column_is_reported() {
+    let errs = run("SELECT CASE WHEN id > 0 THEN bogus ELSE name END FROM users");
+    assert!(errs.iter().any(|e| e.contains("`bogus`")), "got: {errs:?}");
+}
+
+#[test]
+fn case_condition_unknown_column_is_reported() {
+    let errs = run("SELECT CASE WHEN typo > 0 THEN name END FROM users");
+    assert!(errs.iter().any(|e| e.contains("`typo`")), "got: {errs:?}");
+}
+
+#[test]
+fn cast_unknown_column_is_reported() {
+    let errs = run("SELECT CAST(bogus AS TEXT) FROM users");
+    assert!(errs.iter().any(|e| e.contains("`bogus`")), "got: {errs:?}");
+}
+
+#[test]
+fn arithmetic_unknown_column_is_reported() {
+    let errs = run("SELECT id + bogus FROM users");
+    assert!(errs.iter().any(|e| e.contains("`bogus`")), "got: {errs:?}");
+}
+
+#[test]
+fn nested_function_call() {
+    let errs = run("SELECT LENGTH(UPPER(bogus)) FROM users");
+    assert!(errs.iter().any(|e| e.contains("`bogus`")), "got: {errs:?}");
+}
+
+#[test]
+fn function_with_aliased_qualifier_resolves() {
+    // `u.name` inside a function — qualified identifier in nested context.
+    assert!(run("SELECT LENGTH(u.name) FROM users u").is_empty());
+}
+
+#[test]
+fn function_with_aliased_qualifier_unknown_column() {
+    let errs = run("SELECT LENGTH(u.bogus) FROM users u");
+    assert!(
+        errs.iter()
+            .any(|e| e.contains("`bogus`") && e.contains("`users`")),
+        "got: {errs:?}"
+    );
+}
+
+#[test]
+fn count_star_does_not_error() {
+    assert!(run("SELECT COUNT(*) FROM users").is_empty());
+}